{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27093", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-03-19T06:41:10.108Z", "dateUpdated": "2026-04-01T16:00:44.398Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "tripgo", "product": "Tripgo", "vendor": "ovatheme", "versions": [{"changes": [{"at": "1.5.6", "status": "unaffected"}], "lessThanOrEqual": "1.5.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:04.881Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.<p>This issue affects Tripgo: from n/a through < 1.5.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through < 1.5.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:44.398Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:43:51.486368Z", "id": "CVE-2026-27093", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:45:33.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T14:43:51.486368Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:45:29.676Z"}}], "cna": {"title": "WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ovatheme", "product": "Tripgo", "versions": [{"status": "affected", "changes": [{"at": "1.5.6", "status": "unaffected"}], "version": "n/a", "lessThan": "1.5.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Tripgo theme to the latest available version (at least 1.5.6).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Tripgo theme to the latest available version (at least 1.5.6).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.<p>This issue affects Tripgo: from n/a before 1.5.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T06:41:10.108Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27093", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:45:33.843Z", "dateReserved": "2026-02-17T13:24:05.456Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T06:41:10.108Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through < 1.5.6."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('Inclusi\u00f3n remota de ficheros PHP') en Ovatheme Tripgo permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Tripgo: desde n/a antes de 1.5.6."}], "id": "CVE-2026-27093", "lastModified": "2026-04-01T17:28:37.807", "metrics": {}, "published": "2026-03-19T07:15:59.410", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tripgo", "source": "cna", "vendor": "Ovatheme"}, "product": "tripgo", "vendor": "ovatheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T09:24:50.230614+00:00", "value": {"mitigation_remediation": ["Update the Tripgo theme to version 1.5.6 or later as the vendor recommends.", "Verify that the theme is not active on public sites and consider disabling it if no longer needed."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Tripgo theme with a version earlier than 1.5.6 are affected. The issue is specific to the theme\u2019s code and does not involve WordPress core, the operating system, or other plugins. Any user running Tripgo < 1.5.6 should verify if the theme is active and assess exposure.", "description_and_impact": "This vulnerability exploits an improper control of the filename in a PHP include/require statement within the Tripgo theme, identified as CWE\u201198. The flaw allows Local File Inclusion, which can enable an attacker to read arbitrary files on the server. The vendor\u2019s description does not explicitly confirm that the attacker can execute arbitrary PHP code; this capability is inferred from the typical behavior of LFI vulnerabilities that allow inclusion of a crafted PHP file. The impact is loss of confidentiality and potential integrity compromise if a malicious file is included.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity risk. EPSS data is unavailable, so the exact chance of exploitation is unknown. Based on the description, the likely attack vector is remote via a crafted HTTP request to the vulnerable theme\u2019s PHP endpoint; this inference is made because the vulnerability is tied to a PHP include/require statement that can be triggered externally. The flaw is not listed in the CISA KEV catalog, but administrators should treat it as a critical issue and remediate promptly."}}}}, "created": "2026-03-19T08:54:33.081642+00:00", "updated": "2026-03-20T14:15:52.742856+00:00", "vendors": ["ovatheme", "ovatheme$PRODUCT$tripgo", "wordpress", "wordpress$PRODUCT$wordpress"]}